Which Actions Are HIPAA Violations? Examples, Scenarios, and Compliance Guidance
Knowing which actions are HIPAA violations helps you safeguard Protected Health Information (PHI) and avoid costly incidents. Below, you’ll find clear scenarios, red flags, and practical steps to strengthen compliance—across both paper records and Electronic PHI (ePHI).
Unauthorized Access to PHI
What it is
Unauthorized access occurs when someone views, uses, or discloses PHI without a legitimate need related to treatment, payment, or healthcare operations. Curiosity, convenience, or using another person’s login are not valid reasons and violate the minimum necessary standard.
Common scenarios
- Snooping on a neighbor, celebrity, or family member’s chart “just to look.”
- Accessing records after your role changes or employment ends.
- Sharing or reusing credentials; bypassing unique user IDs or audit trails.
How to stay compliant
- Implement role-based access controls and the minimum necessary principle for all systems.
- Require unique credentials and multifactor authentication; monitor audit logs regularly.
- Provide ongoing workforce training and promptly terminate access upon role changes.
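The three controls above (care-team relationships as the basis for access, unique credentials, and regular audit-log review) come together in the kind of periodic review a privacy officer runs over EHR access logs. The following is an added example, not code from the original article or from Accountable: it reviews a constructed access log against a constructed workforce roster and care-team table, flagging access by terminated accounts, clinical access with no treatment relationship and no documented break-glass reason, and one login used from two workstations within a few minutes, which is a common sign of shared credentials. The log format, roster fields and reason codes are all assumptions for the example.

```python
"""Audit-log review for unauthorized PHI access (constructed example, not Accountable's code)."""
from datetime import datetime, timedelta

# Constructed workforce roster: user -> role and termination timestamp (None if active).
ROSTER = {
    "jdoe":   {"role": "nurse",   "terminated": None},
    "msmith": {"role": "billing", "terminated": None},
    "rlee":   {"role": "nurse",   "terminated": datetime(2024, 3, 1, 17, 0)},
}

# Constructed care-team assignments: user -> patients they currently treat.
CARE_TEAM = {
    "jdoe": {"P100", "P101"},
    "rlee": {"P102"},
}

# Constructed EHR access log: timestamp|user|workstation|patient|action|reason code.
ACCESS_LOG = [
    "2024-03-02T09:00:00|jdoe|WS-01|P100|view|treatment",
    "2024-03-02T09:05:00|jdoe|WS-01|P105|view|",             # no relationship, no reason given
    "2024-03-02T09:07:00|jdoe|WS-01|P106|view|break_glass",  # documented emergency access
    "2024-03-02T10:00:00|msmith|WS-07|P100|view|payment",
    "2024-03-02T11:00:00|rlee|WS-03|P102|view|treatment",    # account terminated the day before
    "2024-03-02T12:00:00|jdoe|WS-01|P101|view|treatment",
    "2024-03-02T12:02:00|jdoe|WS-09|P101|view|treatment",    # same login, second workstation
]

CONCURRENT_WINDOW = timedelta(minutes=5)


def parse(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, user, ws, patient, action, reason = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "ws": ws,
            "patient": patient, "action": action, "reason": reason}


def review(log_lines, roster=ROSTER, care_team=CARE_TEAM):
    """Return (rule, user, patient, timestamp) findings for human follow-up."""
    findings = []
    last_seen = {}  # user -> (timestamp, workstation) of that user's previous event
    for e in (parse(line) for line in log_lines):
        acct = roster.get(e["user"])

        # Rule 1: activity from an unknown account or after the account's termination.
        if acct is None or (acct["terminated"] and e["ts"] > acct["terminated"]):
            findings.append(("terminated_or_unknown_user", e["user"], e["patient"], e["ts"]))

        # Rule 2: clinical user viewing a patient outside their care team without break-glass.
        if acct and acct["role"] == "nurse":
            related = e["patient"] in care_team.get(e["user"], set())
            if not related and e["reason"] != "break_glass":
                findings.append(("no_treatment_relationship", e["user"], e["patient"], e["ts"]))

        # Rule 3: one credential active on two workstations within a short window.
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["ws"] and e["ts"] - prev[0] <= CONCURRENT_WINDOW:
            findings.append(("possible_shared_credential", e["user"], e["patient"], e["ts"]))
        last_seen[e["user"]] = (e["ts"], e["ws"])
    return findings


if __name__ == "__main__":
    for rule, user, patient, ts in review(ACCESS_LOG):
        print(f"{ts.isoformat()} {rule}: user={user} patient={patient}")
```

Run against the constructed log, the review produces three findings: the unexplained view of P105, the terminated account rlee still viewing P102, and jdoe's login appearing on WS-09 two minutes after WS-01. Each is a lead for the privacy officer to verify, not an automatic verdict; break-glass access, in particular, should be reviewed separately for documentation rather than suppressed.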
Improper Disposal of PHI
What it is
Improper disposal exposes PHI when paper or electronic media are discarded without secure destruction. Robust PHI Disposal Procedures are essential for files, drives, copiers, and backup media containing ePHI.
Common scenarios
- Throwing paper records into regular trash or recycling bins.
- Donating or returning leased devices without verified data sanitization.
- Discarding prescription labels, wristbands, or appointment summaries intact.
How to stay compliant
- For paper: cross-cut shredding, pulping, or incineration with documented chain of custody.
- For Electronic PHI (ePHI): secure wipe, cryptographic erase, or physical destruction; confirm certificates of destruction.
- Use vetted disposal vendors under Business Associate Agreements (BAAs) and maintain disposal logs.
Sharing PHI Without Consent
What it is
Disclosing PHI outside permitted purposes without a valid authorization is a violation. This includes oversharing beyond the minimum necessary or releasing PHI to parties without a legitimate need.
Common scenarios
- Discussing patient details in public spaces (elevators, waiting rooms, social media).
- Emailing full records to an employer or school without patient authorization.
- Leaving voicemails with sensitive diagnoses or complete test results.
How to stay compliant
- Verify recipient identity and authority; use standardized authorization forms when required.
- Share only the minimum necessary; de-identify whenever feasible.
- Use secure messaging channels and enforce scripts for phone disclosures.
Loss or Theft of Devices Containing PHI
What it is
Unsecured laptops, smartphones, tablets, or removable media that store ePHI can trigger breaches if lost or stolen. The risk increases when devices lack Data Encryption and strong access protections.
Common scenarios
- Stolen laptop with unencrypted local files or cached emails.
- Lost USB drive containing unprotected backup reports.
- Personal phones used for work without mobile device management or remote wipe.
How to stay compliant
- Encrypt data at rest and in transit; enforce screen locks, biometric/PIN, and remote wipe.
- Maintain an asset inventory; restrict local storage and use approved, managed apps.
- Report incidents immediately, perform risk assessments, and follow the Breach Notification Rule when required.
Failure to Implement Adequate Security Measures
What it is
HIPAA’s Security Rule requires administrative, physical, and technical safeguards for ePHI. Missing foundational controls—like risk analysis, policies, or Access Controls—creates systemic vulnerabilities and can constitute violations.
Common scenarios
- No formal risk analysis or risk management plan; outdated policies and procedures.
- Shared accounts, weak passwords, or lack of audit log review.
- Unpatched systems, insecure Wi‑Fi, or unsupported software.
- Using cloud services or IT vendors without signed Business Associate Agreements.
How to stay compliant
- Conduct periodic risk analyses; implement and document mitigation plans.
- Enforce Access Controls, Data Encryption, backups, and tested incident response.
- Train the workforce regularly; manage vendors with BAAs and security due diligence.
Sending PHI to the Wrong Recipient
What it is
Misdirected communications expose PHI to unauthorized parties. Email typos, wrong fax numbers, or address mix-ups can all result in impermissible disclosures.
Common scenarios
- Emailing a summary to a similar but incorrect address.
- Faxing records to a wrong number listed in an old directory.
- Attaching the wrong patient’s file to a message thread in the EHR.
How to stay compliant
- Use verification steps: read-back, address validation, and secure portals with recipient authentication.
- Enable data loss prevention tools and warnings for external recipients.
- If misdirected, attempt retrieval, document mitigation, assess risk, and follow the Breach Notification Rule when applicable.
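The verification and data-loss-prevention steps above can be partly automated at send time. The following is an added example, not code from the original article or from Accountable, of a pre-send check: it compares each recipient against a constructed directory of approved addresses and internal domains, flags an address that is not in the directory but within two edits of one that is (the "similar but incorrect address" case), and warns when an unknown external recipient is combined with PHI indicators in the body. The directory, the domains, and the PHI indicator patterns are assumptions for the example; a production DLP product would use its own classifiers.

```python
"""Pre-send recipient check against misdirected PHI email (constructed example, not Accountable's code)."""
import re

# Constructed directory of approved external recipients and the organization's own domains.
KNOWN_CONTACTS = {"dr.patel@partner-clinic.example", "records@county-hospital.example"}
INTERNAL_DOMAINS = {"hospital.example"}

# Assumed, deliberately loose PHI indicators: an MRN-style identifier or a clinical heading.
PHI_PATTERNS = [
    re.compile(r"\bMRN[:\s]*\d{6,}\b", re.I),
    re.compile(r"\b(diagnosis|lab results?)\b", re.I),
]


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_recipient(addr, contacts=KNOWN_CONTACTS, internal=INTERNAL_DOMAINS):
    """Classify one address as 'ok', 'external', or 'likely_typo:<closest known address>'."""
    addr = addr.strip().lower()
    domain = addr.rsplit("@", 1)[-1]
    if addr in contacts or domain in internal:
        return "ok"
    closest = min(contacts, key=lambda c: edit_distance(addr, c))
    if edit_distance(addr, closest) <= 2:
        return f"likely_typo:{closest}"
    return "external"


def presend_check(recipients, body):
    """Return warnings that should hold the message until the sender confirms."""
    has_phi = any(p.search(body) for p in PHI_PATTERNS)
    warnings = []
    for r in recipients:
        verdict = check_recipient(r)
        if verdict.startswith("likely_typo:"):
            known = verdict.split(":", 1)[1]
            warnings.append(f"{r}: not in directory but one or two characters from {known}; confirm the address")
        elif verdict == "external" and has_phi:
            warnings.append(f"{r}: unknown external recipient and the message appears to contain PHI; "
                            "use the secure portal or verify authorization first")
    return warnings


if __name__ == "__main__":
    sample_body = "Attached: MRN 00123456 lab results for review."      # constructed message body
    for w in presend_check(["dr.patel@partner-clinc.example", "someone@mail.example"], sample_body):
        print("WARNING", w)
```

The typo check is the part worth keeping even without body inspection: a transposed or dropped letter in a known partner's address is exactly the case read-back and address validation are meant to catch, and a small edit-distance threshold against an approved directory turns that into a hard stop rather than a reminder.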
Failure to Provide Patients Access to Their Records
What it is
Patients have a right to access their records in a timely manner and in a reasonably requested format. Unnecessary delays, excessive fees, or refusal to send records to a designated third party can violate HIPAA.
Common scenarios
- Requiring in-person pickup when electronic delivery was requested.
- Charging non-cost-based fees or adding barriers that slow fulfillment.
- Ignoring requests to transmit to a caregiver, app, or specialist chosen by the patient.
How to stay compliant
- Maintain a clear request process with tracking, identity verification, and target timelines.
- Offer multiple delivery options (portal, secure email, mail) and honor patient format preferences when reasonable.
- Apply cost-based fees only; train staff to escalate and resolve access issues quickly.
Conclusion
HIPAA violations often arise from predictable gaps: weak Access Controls, inadequate Data Encryption, poor PHI Disposal Procedures, and mistakes in disclosure. Build layered safeguards, train your workforce, manage vendors with Business Associate Agreements, and respond promptly under the Breach Notification Rule to reduce risk and strengthen trust.
FAQs
What constitutes unauthorized access under HIPAA?
Any viewing, use, or disclosure of Protected Health Information (PHI) by someone without a legitimate, job-related need is unauthorized. Examples include curiosity-based snooping, accessing records outside your role, or using shared credentials. Strong Access Controls, unique user IDs, and audit reviews help prevent and detect this behavior.
How should PHI be properly disposed of?
Paper PHI should be cross-cut shredded, pulped, or incinerated with a documented chain of custody. For ePHI, use secure wipe, cryptographic erase, or physical destruction of media. Keep disposal logs and work with vetted destruction vendors under Business Associate Agreements, obtaining certificates of destruction.
What are the consequences of failing to notify a breach?
Failure to follow the Breach Notification Rule can lead to regulatory enforcement, monetary penalties, corrective action plans, and reputational harm. It can also compound the underlying incident by delaying mitigation. Timely investigation, documentation, and appropriate notifications reduce legal and operational risk.
How can organizations ensure HIPAA compliance?
Establish a comprehensive program: perform regular risk analyses, implement policies, enforce Access Controls and Data Encryption, train the workforce, and test incident response. Manage vendors with Business Associate Agreements, monitor audit logs, and continuously improve safeguards to address new threats and operational changes.
Ready to assess your HIPAA security risks?
Join thousands of organizations that use Accountable to identify and fix their security gaps.
Take the Free Risk Assessment